密码重置后端功能 [英] Password Reset Backend Functionality
问题描述
如果用户忘记了密码,我在如何从概念上处理密码重置方面会遇到一些麻烦.我一直试图在此 SO答案之后对系统进行建模.
I'm having a little trouble with how to conceptually handle password resets if a user forgets their password. I have been trying to model my system after this SO answer.
这是我当前的设置:
- 用户单击页面上的忘记密码"链接
- 页面会提示他们输入电子邮件地址
- 用户输入电子邮件地址,然后点击向我发送我的信息"
- 当用户点击发送我的信息"时,将在我的password_change_requests表中创建一个新条目,其中包含随机ID,时间和用户名.
- 我向用户发送格式为
http://mysite.net/resetpassword.php?id=xxx&username=yyy的链接
- resetpassword.php文件获取ID和用户名
- resetpassword.php检查password_change_requests中具有用户名和时间尚未到期的行
- 如果找到行,请确保获取的ID与该行中的哈希ID相匹配.
- 如果验证了ID,则使用表单和用于输入新密码的按钮回显html
- 尝试将新密码发送到验证新密码并确认新密码匹配的其他php脚本.
verifyNewPassword.php
- The user clicks forgot password link on page
- The page prompts them to enter their email address
- The user enters email address and hits "Send me my info"
- When the user hits "Send my my info" a new entry is created in my password_change_requests table with a random id, a time, and the user's username.
- I send the user a link that is in the format
http://mysite.net/resetpassword.php?id=xxx&username=yyy - The resetpassword.php file GETs the id and username
- resetpassword.php checks for a row in password_change_requests that has username and a time that is not yet expired
- If row is found, then make sure the id from get matches hashed id in that row.
- If the id is validated then echo html with forms and buttons for entering new password
- Try to send new password to a different php script that verifies new password and confirm new password match.
verifyNewPassword.php
我的设计一定有缺陷,因为如果verifyNewPassword.php中的密码不匹配,我将不知道如何将用户发送回resetpassword.php.我不能只给他们一个链接,单击以将其发送回resetpassword.php,因为该链接还需要GET中的ID和用户名.我尝试将GET数据从resetpassword.php发送到verifyNewPassword.php,但由于html在回显内,所以我无法弄清楚.这是我的代码摘要:
My design must be flawed somehow because I can't figure out how to send the user back to resetpassword.php if the passwords don't match in verifyNewPassword.php. I can't just give them a link to click sending them back to resetpassword.php, because that link also needs the id and username from GET. I tried sending that GET data from resetpassword.php to verifyNewPassword.php, but I can't figure it out since the html is inside an echo. Here is a summary of my code:
resetpassword.php:
resetpassword.php:
if ($tokenFound) {
echo "<html>
<body>
<h1>Password Reset</h1>
<form action='verifyNewPassword.php' method='post'>
<input type='password' name='password' placeholder='New Password'><br>
<input type='password' name='confirmpassword' placeholder='Confirm New Password'><br><br>
<input type='submit' value='Reset Password'>
</form>
</body>
</html>";
}
else {
//notify user token is expired or not found. try to reset password again
echo "not a valid token";
}
verifyNewPassword.php:
verifyNewPassword.php:
if ($password != $confirmpassword) {
print "Passwords don't match. Click <a href=\"resetpassword.php\">here</a> to try again.<br/>";
}
else {
echo "passes match";
}
推荐答案
以任何方式编写此代码,您都会 在verifyNewPassword.php中需要这些xxx和yyy值.最好的解决方案是将它们传递给resetpassword.php时,将它们保存在隐藏的输入中,将它们与POSTed值一起发送,并从verifyNewPassword.php中再次验证它们.
Any way you write this, you will need these xxx and yyy values in verifyNewPassword.php. The best solution would save these in hidden inputs when passed to resetpassword.php, send them along with the POSTed values, and verify them one more time from verifyNewPassword.php.
如果要避免链接,可以发送303响应,将Location标头设置为http://mysite.net/resetpassword.php?id=xxx&username=yyy,如果要显示错误消息,则设置另一个可选标志.
If you want to avoid the link, you can send a 303 response with the Location header set to http://mysite.net/resetpassword.php?id=xxx&username=yyy, with another optional flag set if you wanted to display an error message.
这篇关于密码重置后端功能的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
